Apple has pushed an update to XProtect to improve detection of ThiefQuest

Thursday, July 16, 2020 4:41 PM

Apple has pushed an update to the data files used by XProtect, bringing its version number to 2126, dated 13 July 2020. This is another out-of-cycle update, and appears intended to detect more variants of the ThiefQuest/EvilQuest ransom/malware.

Apple doesn’t release information about what these updates add or change, and now obfuscates the identities of malware detected by XProtect using internal code names. XProtect’s Yara definitions include one new entry for an entity named MACOS.2070d41, and modifications to the signature added in the last update for MACOS.6cb9746, which detects ThiefQuest/EvilQuest.

You can check whether this update has been installed by opening System Information via About This Mac, and selecting the Installations item under Software.
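The same check can be scripted from Terminal. This is an added example, not part of the original post: it parses the text report of `system_profiler SPInstallHistoryDataType`, the command-line source of the Installations list, and picks the newest XProtectPlistConfigData entry, since the history keeps one entry per update. The sample report is constructed, and its layout is assumed to match what the tool prints.

```shell
#!/bin/sh
# Added example (not from the original post). REQUIRED_VERSION is the XProtect
# data version named in the article.
REQUIRED_VERSION=2126

# Constructed sample of the install-history report; dates and the older
# entries are made up for illustration.
sample_history() {
cat <<'EOF'
Installations:

    XProtectPlistConfigData:

      Version: 2125
      Source: Apple
      Install Date: 7/2/20, 9:15 AM

    MRTConfigData:

      Version: 1.64
      Source: Apple
      Install Date: 7/2/20, 9:15 AM

    XProtectPlistConfigData:

      Version: 2126
      Source: Apple
      Install Date: 7/14/20, 10:02 AM
EOF
}

# Read the report on stdin; print the highest version recorded for
# XProtectPlistConfigData, or nothing if the item never appears.
latest_xprotect_version() {
    awk '
        # A line ending in ":" starts a new item; track whether it is XProtect.
        /^ *[^ ].*:$/ { in_item = ($1 == "XProtectPlistConfigData:"); next }
        in_item && $1 == "Version:" { if ($2 + 0 > max) max = $2 + 0 }
        END { if (max) print max }
    '
}

# Succeed only if the report on stdin shows REQUIRED_VERSION or newer.
xprotect_is_current() {
    found=$(latest_xprotect_version)
    [ -n "$found" ] && [ "$found" -ge "$REQUIRED_VERSION" ]
}

# On a Mac, replace sample_history with: system_profiler SPInstallHistoryDataType
if sample_history | xprotect_is_current; then
    echo "XProtect data is at version $REQUIRED_VERSION or later"
else
    echo "XProtect data is older than $REQUIRED_VERSION or not recorded"
fi
```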

A full listing of security data file versions is given by SilentKnight